Monday, April 21, 2014

L2 security – Spanning Tree Protocol features.

a) BPDU Guard – a feature that keeps access (PortFast) ports from participating in the spanning tree process: if such a port receives a BPDU, the switch err-disables it. You can enable the feature globally or per interface:

ASW1(config)#spanning-tree portfast bpduguard default

Below we can see what happens when we bring the interface up and then plug a switch into this port:

*Mar  3 16:16:44.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  3 16:16:44.853: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  3 16:16:44.904: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
*Mar  3 16:16:44.904: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
*Mar  3 16:16:44.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  3 16:16:46.909: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down

To avoid shutting down the whole port, we can apply the same action only to the offending VLAN:

ASW1(config)#errdisable detect cause bpduguard shutdown vlan

*Mar  3 16:24:21.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  3 16:24:22.032: %SPANTREE-2-BLOCK_BPDUGUARD_VP: Received BPDU on port Fa0/24, vlan 1 with BPDU Guard enabled. Disabling vlan.
*Mar  3 16:24:22.032: %PM-4-ERR_DISABLE_VP: bpduguard error detected on Fa0/24, vlan 1. Putting in err-disable state.
*Mar  3 16:24:22.041: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  3 16:24:22.041: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  3 16:24:23.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
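The two BPDU Guard syslog variants above (whole port versus single VLAN err-disabled) are what a monitoring system should alert on, since an unexpected BPDU on an access port means a switch or a BPDU-sending host appeared where only end stations belong. The following is an added example, not code from the original post, that parses such lines and groups the violations per interface; the log lines it contains are constructed to match the format shown above, and the interface-name abbreviation table is an assumption.

```python
import re
from collections import namedtuple

# Constructed sample, in the format of the IOS syslog lines quoted above.
SAMPLE_LOG = """\
*Mar  3 16:16:44.853: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
*Mar  3 16:16:44.904: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard enabled. Disabling port.
*Mar  3 16:16:44.904: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
*Mar  3 16:24:22.032: %SPANTREE-2-BLOCK_BPDUGUARD_VP: Received BPDU on port Fa0/24, vlan 1 with BPDU Guard enabled. Disabling vlan.
*Mar  3 16:24:22.032: %PM-4-ERR_DISABLE_VP: bpduguard error detected on Fa0/24, vlan 1. Putting in err-disable state.
"""

# Matches both variants: BLOCK_BPDUGUARD (whole port) and BLOCK_BPDUGUARD_VP (one VLAN).
BPDUGUARD_RE = re.compile(
    r"\*(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s*"
    r"%SPANTREE-2-BLOCK_BPDUGUARD(?P<vp>_VP)?:\s*Received BPDU on port\s*"
    r"(?P<port>\S+?)(?:,\s*vlan\s*(?P<vlan>\d+))?\s*with BPDU Guard enabled"
)
# Assumed abbreviation table: IOS logs the same interface as Fa0/24 and FastEthernet0/24.
ABBREV = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}
# vlan is None when the whole port was err-disabled; scope is "port" or "vlan".
BpduGuardEvent = namedtuple("BpduGuardEvent", "timestamp port vlan scope")

def normalize_port(name):
    """Expand the abbreviated interface name so both spellings group together."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    return ABBREV.get(m.group(1), m.group(1)) + m.group(2) if m else name

def parse_bpduguard_events(lines):
    """Extract BPDU Guard violations; every other syslog line is ignored."""
    events = []
    for m in filter(None, map(BPDUGUARD_RE.search, lines)):
        vlan = int(m.group("vlan")) if m.group("vlan") else None
        events.append(BpduGuardEvent(m.group("ts"), normalize_port(m.group("port")),
                                     vlan, "vlan" if m.group("vp") else "port"))
    return events

def summarize_by_port(events):
    """Per port: whether the whole port was err-disabled, and which VLANs were."""
    summary = {}
    for e in events:
        entry = summary.setdefault(e.port, {"port_errdisabled": False, "vlans": set()})
        if e.scope == "port":
            entry["port_errdisabled"] = True
        else:
            entry["vlans"].add(e.vlan)
    return summary
```

Feeding the switch's syslog export through `parse_bpduguard_events` and then `summarize_by_port` gives the list of interfaces an operator has to investigate before clearing the err-disable state.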

c) Root guard
This STP feature prevents the port on which you enable it from becoming the root port. That means the switch connected to that interface can't become the root switch in this network segment (ASW1, DSW1 and DSW2). ASW2's STP messages are blocked because the port goes into the 'root inconsistent' state, which means there is no STP communication between them, and they start a new root switch election.

d) Loop guard
The feature prevents an interface from becoming a designated port when it stops receiving BPDUs. Imagine a failure where ASW2 (the root switch) can't receive any BPDU from DSW1, but DSW1 is not aware of it. Let's see what happens: